Law Enforcement Access to Communications Systems in a Digital Age

before the
Subcommittee on Telecommunications and the Internet
House Committee on Energy and Commerce

Law Enforcement Access to Communications Systems in a Digital Age

September 8, 2004

Chairman Upton, Congressman Markey, and Members of the Subcommittee, thank you for the opportunity to testify today.

Especially in the face of terrorism, the question of law enforcement access to communications systems is vitally important. However, the Justice Department and the Federal Communications Commission are trying to force the Internet into a 20th century mold. In terms of innovation, cost, privacy, network security, and national security, this is the wrong approach. Instead of making the Internet look like the telephone system of the past, the FBI and other law enforcement agencies need to acquire in-house capabilities to analyze digital communications. They should use the Internet, not try to control it. Keeping pace with technology should not require slowing it down.

Law Enforcement Mandates Designed for the Telephone Network Are Not Suited — Nor Are They Needed — for the Internet

To understand why the Justice Department's approach is unnecessary, unwise and unlikely to be effective, think of the ways in which the Internet is different from the traditional telephone network of the past. In the old days, when law enforcement agencies first started lawfully wiretapping telephones, the Ma Bell monopoly owned and controlled the entire network, right down to the phone on your desk. Such a centralized system was reliable, but it was limited. Innovation was discouraged. Competition was essentially non-existent. Prices were regulated but relatively high, and usage was cautious.

Now consider the Internet. It is open, competitive, decentralized. It supports a multiplicity of applications, not only voice, but also photography, data, and video. It supports one to one, many to one, and one to many communication. It pushes control to the edges, giving users far more choices then they ever had. It has no gatekeepers. It intermeshes wireline, wireless, cable and satellite. It is innovative, inexpensive, and global. Education, commerce, medicine and government have reaped the benefits.

In the context of today's hearing, the Department of Justice complains about the Internet's diversity, but in many ways the digital age is the age of surveillance. More personal information than ever before is transmitted, collected and stored in electronic form. In many ways, law enforcement has embraced the digital revolution. Every year, the number of wiretaps goes up. Undercover agents lurk in Internet chats. Police track suspects through cell phones and reconstruct past movements from EZ Pass logs. The FBI can plant on your computer a keystroke monitor to copy letters you never send. Agents seize computer disks holding information that would fill truckloads if printed out. Voluminous dialing records are analyzed by computer. Conversations intercepted in New York are shipped across country for translation. A computer in Russia can be searched from the US.

So despite some of the dire rhetoric you may hear, the Internet is already tappable today, both legally and from a technical standpoint. The government has full legal authority to tap broadband Internet access and Internet communications of all kinds. The government also has all the legal authority it needs to compel broadband access providers and Voice over Internet Protocol (VoIP) service providers to cooperate with court orders for interception. 18 U.S.C. § 2518(4). And from a practical standpoint, law enforcement agencies currently have and in the foreseeable future will continue to have the capability to intercept communications over broadband. In some ways, interception may be less convenient, in that law enforcement may have to go to different entities to obtain content and routing information. And given the diversity of services, the information will come in different formats and law enforcement will have to work harder to determine what it is intercepting. In other ways, however, Internet surveillance will be easier, in that the digital nature of communications makes them easier to analyze, store, and retrieve. Last year, for example, according to the government's official Wiretap Report, out of 1,442 authorized wiretaps nationwide, the most active was the interception of a broadband Internet line.[2]

The only question – and it is a big question – is whether additional authority is needed for the government to insert certain features into Internet services to make them easier to tap. Answering that question requires, first, a detailed, technical inquiry into whether there are any problems associated with Internet surveillance. It then requires a detailed, technical exploration of how those problems can be solved, with consideration of the various costs and risks of different solutions. Throughout, it is important to keep in mind the ways in which the architecture of the Internet is different from the traditional telephone network.

CALEA Was Designed for the Traditional Public Switched Telephone Network

In the 1990s, Congress conducted such an inquiry with respect to the public switched telephone network. It found that there were some problems posed by then- relatively new technology in the PSTN, and it concluded that the solutions lay in redesign of the central office switches of the telephone companies. The result was the Communications Assistance for Law Enforcement Act (CALEA).

CALEA is a 20th century statute for 20th century technology. CALEA was designed for the centralized, relatively monopolized, and circuit switched world of the traditional telephone common carriage – entities already subject to a range of regulatory burdens. The proposed solution focused on central office switches. That is where the documented problems were. The carriers operating those switches used for routing and billing purposes the information they thought the government wanted. The switch manufacturers thought it would be relatively easy to build in the ability to meet the government's requests as they were described in the legislative hearings.

CALEA has not worked all that well even for the PSTN – the government ended up demanding a lot more functionality, including features not available with the traditional wiretaps — but the Internet is fundamentally different from the PSTN and requires a different approach.

Congress was crystal clear – CALEA was not intended for the Internet. To make this point, Congress took not merely a belt and suspenders approach, but added safety pins as well. It said that CALEA applied only to common carriers, and only to the extent that they are providing telecommunications services. It excluded information services, and it said that even if an information service became a substantial replacement for the PSTN in a particular region, it would still be excluded from the requirements of CALEA.

At the time, the term information services was shorthand for the Internet and the applications running over it (among other services). The term information services was broadly defined to cover current and future advanced software and software-based electronic messaging services, including email, text, voice and video services. Narrowband Internet access and Internet applications like email fit squarely within the definition. As the broadband Internet has evolved, it continues to be outside the scope of telecommunications common carriage, and Internet-based telephony services, like all other Internet applications, fit squarely within the definition of information services.

The legislative history confirms the plain meaning of the statute. The Committee Report states that CALEA obligations do not apply to information services, such as electronic mail services, or on-line services, such as CompuServe, Prodigy, America On-line or Mead Data, or Internet service providers.Telecommunications Carrier Assistance to the Government, H.R. Rep. 103-827(I), at 23 (Oct. 4, 1994) (House Report). As the FBI Director testified, CALEA was narrowly focused on where the vast majority of our problems exist — the networks of common carriers, a segment of the industry which historically has been subject to regulation.[3]

Reading the statute and legislative history, both the FCC itself and the D.C. Circuit in the past held that CALEA does not apply to the Internet. In 1999, the FCC concluded that information services such as electronic mail providers and on-line service providers are exempt from CALEA. In the Matter of Communications Assistance for Law Enforcement Act, Second Report and Order, 15 FCC Rcd 7105, at � 26 (1999). The D.C Court of Appeals stated, CALEA does not cover 'information services' such as email and internet access.United States Telecom Ass'n v. FCC, 227 F.3d 450, 455 (D.C. Cir. 2000).

The FCC has recently issued a Notice of Proposed Rulemaking, tentatively concluding that CALEA should apply to broadband Internet access and managed Voice over Internet Protocol (VoIP) services. The NPRM is purely results-oriented. The Commission looked at the urgency of the terrorist threat, and jumped straight to the conclusion that CALEA should be extended to the Internet. To do so, it admitted that it was ignoring the language of the Act and contradicting its own earlier decisions about the regulatory status of broadband access. Three Commissioners hinted in separate statements that the Commission's rationale would not withstand judicial scrutiny.

Congress Needs to Conduct a Factual Inquiry

The first step in responding to the arguments of the Department of Justice must be a clear showing of need: what are the problems that law enforcement is encountering? In the early 1990s, during the George H.W. Bush Administration and then in the Clinton Administration, when the FBI began complaining that technological changes in the PSTN were interfering with law enforcement's ability to carry out wiretaps, Congress refused to adopt a sweeping regulatory mandate. Instead, Congress insisted first and foremost on a factual inquiry into what exactly were the problems being encountered by law enforcement. Hearings were held. The General Accounting Office conducted two studies. The FBI surveyed its field offices twice. Industry and law enforcement convened action teams to study the concerns of law enforcement and possible solutions. At the end of the process, industry representatives agreed that new technologies were defeating law enforcement surveillance. Some of the problems had to do with features such as call forwarding and speed dialing. Others had to do with the transition to multiplexed lines and fiber optic cables. Most had to do with the lack of sufficient capacity on switches to simultaneously accommodate a large number of intercepts.[4]

In 2004, the DOJ/FBI petition and the FCC's 101 page NPRM are devoid of any factual discussion of problems justifying extension of CALEA. In the 1990s, when arguing for CALEA, the FBI Director talked about a de facto repeal of the wiretap laws. The lack of capacity to accommodate multiple intercepts on wireless switches, which accounted for the majority of problems documented in the 1990s, represented a complete shutout for law enforcement. But in the Internet context, the FCC's recent NPRM refers to problems such not getting exactly the same information on broadband communications that is available in the PSTN, or not having the information delivered in a familiar format. These are not the magnitude of problem that justified Congress adopting CALEA for the already well-regulated telecommunications common carriers – they surely do not justify a regulatory mandate for the Internet. Is there a problem of not having access at a single point to all features and services used by a surveillance target? Even with respect to the PSTN, CALEA was not intended to guarantee one-stop shopping for law enforcement. Are there difficulties in determining which service provider or which kinds of services a particular suspect is using? If so, that seems to be an unavoidable byproduct of the diversity of services that our telecommunications policy has wisely fostered, not a problem requiring design mandates.

The second step should be a showing of what would a design mandate for the Internet look like. In this regard, Congress would have to be very careful and insist on more specificity than it did in 1994. In applying CALEA to the PSTN, the FCC adopted an elastic interpretation of CALEA's definitions, requiring carriers to build into their systems surveillance features that went beyond what had been available to law enforcement in traditional systems. For example, the FCC gave five different meanings to the word origin in the definition of call-identifying information.[5] Such flexibility applied to the Internet could produce endless demands.

In some ways, the debate today is reminiscent of the encryption debate of 10 years ago. Law enforcement agencies felt threatened by encryption. They thought it meant terrorists and drug dealers could communicate in perfect confidentiality. The government argued that encryption had to be dumbed down or built with backdoors for easy government access. After a long debate, Congress and the Administration decided that the technology should not be controlled. Law enforcement and intelligence agencies adjusted. Beginning with the 2000 Wiretap Report, the government has been required to report on whether encryption was preventing law enforcement officials from obtaining the plain text of communications intercepted pursuant to the court orders. So far, the government has not reported a single wiretap frustrated by encryption. In 2003, no federal agencies conducting wiretaps reported that encryption was encountered. For state and local jurisdictions, encryption was reported to have been encountered in one wiretap in 2003; however, the encryption was not reported to have prevented law enforcement officials from obtaining the plain text of communications intercepted.

CALEA Has Not Been Very Successful Even as Applied to the PSTN

Even as applied to the relatively centralized PSTN, CALEA has not worked well. The FBI and DOJ admitted as much in their petition to the FCC. Indeed, their petition was almost schizophrenic: the first half argued that the Internet should be brought within the regulatory scheme of CALEA while the second half laid out a litany of delays, confusion and controversy under CALEA as applied to the PSTN.[6] The DOJ and FBI stated that the CALEA implementation process is not working. Petition, at 38. They cited problems and delays,id. at 53; a seemingly endless cycle of extensions that have consistently plagued the CALEA compliance process,id. at 55; and more problems and delays,id.

This record of disfunctionality is confirmed by a report by the Office of the Inspector General (OIG) of the U.S. Department of Justice, issued on April 7, 2004. The OIG's biannual audit, mandated by CALEA, evaluates the progress of CALEA compliance, and finds broad problems. The report notes that costs of CALEA for the PSTN have been much higher than Congress anticipated. Most troubling, according to FBI estimates, CALEA compliant software has been activated on only 10 to 20 percent of wireline equipment. The report also shows that the FBI's insistence on it punchlist has caused enormous problems within the CALEA standards setting efforts of industry. Most remarkably, the report finds that the FBI was unable to demonstrate the extent to which lawful surveillance has been adversely impacted by the lack of CALEA implementation.[7]

Simply put, CALEA has proven to be a flawed statute. As to why, there is probably enough blame to go around. One key factor is that, contrary to Congress' intent, the FBI exercised de facto power to impose specific design mandates on the PSTN, and it used this power to impose on industry surveillance features that not only went beyond the capabilities of the traditional telephone system but that could have been procured by law enforcement itself for less expense. For example, the FCC imposed at least $120 million in costs on industry to obtain one feature known as dialed digit extraction, which requires local exchange carriers, after call set-up, to reach into the content of the communications and extract additional dialed numbers, such as the numbers called on a long distance calling card. The FBI could have obtained the information it wanted by going to the providers of long distance services, but it wanted to obtain the information more conveniently through the local phone system. Indeed, the FBI could have purchased the extraction devices itself and attached them as necessary, a solution that the FBI itself estimated would cost no more than $20 million a year, but instead the FBI insisted that all carriers install them on all switches.

Going Forward: Meeting Law Enforcement Needs in a Way Suited to the Decentralized, Innovative Internet

Clearly, a different approach is needed for the Internet. As we suggested at the outset, that solution must take into account the decentralized, innovative, user-controlled nature of the Internet.

There are three possible approaches: One is the internal approach of CALEA, which DOJ is proposing to impose on the Internet, requiring extensive standards processes, detailed specifications, and FCC enforcement to require access providers and service providers to build capabilities into their equipment and software. The second is what the FCC refers to as the trusted third party approach, in which a service bureau sits between the service provider and the law enforcement agency, analyzing packets, extracting signaling information, and formatting it for the convenience of law enforcement.

There is a third approach, which is suggested by the service bureau model: Instead of forcing industry to redesign its products and services to meet government specifications, law enforcement should itself develop (or acquire from the service bureaus) the capabilities to analyze packet communications. In other words, law enforcement should develop the capability to extract call-identifying information from packet streams. Even CALEA only requires carriers to deliver call-identifying information to law enforcement – it imposes no formatting requirements on service providers. Moreover, the government will have to develop the capability to analyze packets in-house anyhow, because it will have to be able to deal with sophisticated criminals who can entirely avoid service providers and communicate directly and with custom-built protocols. Perhaps Congress should appropriate additional funds to the FBI to keep pace with technology in this way and to support state and local law enforcement efforts to do the same.

This third approach – a fundamentally non-regulatory approach — illustrates how the assumptions that applied to CALEA in the PSTN are probably inapplicable to the Internet. The Internet may not need a detailed technical standard the way the circuit switched environment does. The call processing technology that once existed solely in the control of the monopolistic telephone company is now available from third parties. This approach also has the advantage of being consistent with the layered nature of the Internet's architecture. Arguably, the focus of interception should be at the transport layer, not at the application layer, and the provider of transport services should be obligated only to isolate and deliver to law enforcement the data stream associated with a particular subscriber. This could be coupled with technical and legal audits to ensure that the government is only recording what it is legally authorized to intercept.

Conclusion

Congress has taken a relatively non-regulatory approach to the Internet and has refrained from applying to the Internet common carriage status and other regulatory burdens applied to telephone companies. The Internet's rapid growth and innovation attest to the wisdom of this policy. We are now in a time of transition from the narrowband, dial-up Internet of the past to the broadband Internet. The high speed Internet access available via cable modem and digital subscriber lines (DSL) is capable of carrying voice communications of high quality, as well as numerous other applications. This is precisely the wrong time to shoe-horn the Internet into the telecommunications regulatory structure.

The Internet and applications like Voice over Internet Protocol (VOIP) services are different from traditional telecommunications services, so significantly different that they have not been and should not be regulated under the traditional regulatory framework for telecommunications. For reasons that are still valid today, the Internet and Internet applications were not included in the regulatory mandates of CALEA. After an in-depth factual inquiry in the early 1990s, Congress focused on specific problems law enforcement agencies were encountering in carrying out surveillance in the PSTN. With CALEA, Congress imposed design obligations on already heavily regulated telecommunications common carriers. Congress expressly excluded the Internet from those design mandates, not only because it was committed to the non-regulatory approach, but also because it found no problems on the Internet, and because it was uncertain of how surveillance mandates would translate to the Internet.

The regulatory framework of CALEA is not suitable for the Internet and Internet applications. The FBI and the Justice Department are absolutely correct when they say that the world of communications has changed dramatically since CALEA was enacted. That is exactly why applying a 10-year-old law to this rapidly evolving technology would be a mistake. CALEA-type mandates would drive up costs, impair and delay innovation, threaten privacy, jeopardize Internet security, and force development of the latest Internet innovations offshore.

Most importantly, the centralized design mandates of CALEA are not necessary. The government itself can acquire the technology it needs to interpret Internet communications. It will have to do so in case, because there will always be custom-built services and applications outside its reach. The sooner it abandons its efforts to dictate surveillance features to industry, the sooner it can get on with the task of keeping pace with technology.

Notes

[1] The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values for the new digital communications media. Our core goals include enhancing privacy protections and preserving the open architecture of the Internet. Among other activities, CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for computer, communications, and public interest organizations, companies and associations interested in communications privacy and security issues.

[2] "Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications," issued April 30, 2004, available at http://www.uscourts.gov/wiretap03/contents.html.

[5] �Origin� refers, of course, to the phone number of the party initiating a call. The FCC ruled, however, that �origin� also means the signal indicating that a call is waiting, Third Report and Order, In the Matter of Communications Assistance for Law Enforcement Act, 14 FCC Rcd 16794 (1999) � 82; use of the flash key on the telephone to switch back and forth between two established calls, id.; putting a party on hold, id. � 74; and the location of a wireless phone caller at the beginning and end of a call, id. � 44.